I share Kimon's concerns here. We heard about the Dutch law on yesterday's call but it's one of only 3 countries that have implemented the cookie law. And, as Kimon points out, the UK has a different approach. Then, with the pending data protection regulation working its way through the EU Parliament, we may have a different EU standard to deal with in 2 years, but nobody really knows for sure.
Not to rain on the EU, but it feels odd to me that we're trying to build our spec to accommodate/comply with the EU when even the EU doesn't know what compliance looks like. If we can provide some basic functionality that could be useful in the EU, then great. But, let's not go out of our way to try to build for EU compliance because nobody knows what that might look like.
I don't mean to shut down this conversation unnecessarily, but it does feel like we've spent a lot of time on this discussion with no real work to show for it.
From: Kimon Zorbas [mailto:vp@iabeurope.eu]
Sent: Thursday, June 14, 2012 2:33 PM
To: rob@blaeu.com; Vinay Goel (Adobe); public-tracking@w3.org
Subject: Re: Examples of successful opt-in implementations
Rob, colleagues,
I am sorry, but I have serious problems with the way this group works and operates. I do not believe that we need to delve into (European) legal discussion and would appreciate if we could conclude in Seattle for once and forever about the role of Article 29 WP.
Rob, you are pushing so hard for the acceptance of Article 29 WP opinion as the word of God on data protection issues (and others also, to be fair) and I don't understand what you are trying to achieve with this.
We may like what Article 29 WP says or not, but FACT is that it is JUST an opinion. It is not the law. And, frankly the UK, one of the most engaged EU Member States, is not following the supposed 'baseline'.
Kind regards,
Kimon
From: Rob van Eijk <rob@blaeu.com>
Reply-To: "rob@blaeu.com" <rob@blaeu.com>
Date: Thursday 14 June 2012 20:07
To: "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Subject: Re: Examples of successful opt-in implementations
Resent-From: <public-tracking@w3.org>
Resent-Date: Thursday 14 June 2012 20:08
Hi Vinay,
Thanks for the rapid response. I see you are addressing three things. The opinion, the mind model and the scope.
First the opinion: I argue that the opinion isn't just an opinion. It is a common baseline, expressed by the dpa's who will enforce the legal framework. That expression is, in the light of differences in national implementations, not to be taken lightly. The common baseline expresses what all dpa's see as a reasonable and defendable position that doesn't conflict with national laws. You can see clearly in the case of the first party analytics, how far the consensus went.
p. 10: "However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses."
This means that not all dpa's were able to see first party analytics as functional with respect of the national implementations.
An important function of the opinion is to give advice to the European legislator. That is why on the next page we included an advice.
p. 11: "In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes.
First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy."
Second, the mind model applied to first-party analytics: in most countries you wouldn't need to call for an exception. As explained above, getting first-party analytics into the category of functional cookies in all jurisdictions just wasn't possible.
Third, the scope: no, I am not arguing for a scope increase. Getting a standard to Last Call with the scope as it is, is already a difficult task. What I ask for, is to have the usefulness of the re-usable technical building blocks in the back of our minds while creating a meaningful standard. The scope is what it is.
mvg::Rob
On 14-6-2012 19:07, Vinay Goel wrote:
Hi Rob,
Hoping you can help me understand your mind model since applying it is
complex given the very different approaches to ePrivacy compliance across
the member states. Different markets are defining what a 'functional
cookie' is differently. And, I know you shared the Working Party's
opinion; but it's just that -- an opinion by the Working Party, not
specific law or guidance from a DPA.
Assuming you take the Working Party's opinion that first-party site
analytics is not a strictly necessary function, is your mind model
suggesting that the first party needs to use the DNT exception mechanism
or well-known URL in order to use the data for users that have DNT:1 for
first-party analytics? If so, isn't that an increase in the scope (where
you say "I am also not arguing that first parties must be subject to DNT")?
Thanks in advance.
-Vinay